Riorioo ("we," "us," or "our") operates riorioo.com, the MyStore account center, and software products such as KimoShell, KimoTor, and KimoDot (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Services. If mandatory local law in your region provides you with additional rights, those rights apply to the extent required by that law.
1. Scope
This Policy applies to personal information processed when you visit our website, create or manage a Riorioo account, download software, purchase subscriptions, use our desktop clients, or contact support.
Third-party services you choose—such as Google Sign-In or Creem payments—are governed by their own privacy policies. This Policy describes Riorioo's processing only.
We may update this Policy from time to time. The "Last Updated" date at the top of this page indicates when it was last revised. Material changes will be communicated as appropriate.
2. Information We Collect
Depending on how you use the Services, we may collect the following categories of information:
- Account and profile: nickname (required), optional full name, gender, date of birth, avatar, and internal account identifiers;
- Contact information: email address and/or phone number, depending on your region and choices;
- Authentication data: email OTP verification records (stored as hashes, not plaintext codes), session tokens (approximately 30 days), and Google OAuth identifiers only if we offer Google Sign-In and you opt in;
- Purchase and subscription data: order references, product names, plan tiers, entitlement status, license keys and activation records for license-type products (see Section 6), and payment status from Creem—we do not store full payment card numbers;
- Device information: device name, device identifier, and last active time when you sign in to KimoShell, KimoTor, KimoDot, or other clients (for device limits and security);
- Client cloud sync (when you enable sync and manually upload): server display names, hosts, ports, usernames, auth modes, and local key paths (not passwords or key contents); app settings fields are described in the Client Cloud Sync section of this Policy;
- Feedback and support content: messages, contact details, product selection, and files you upload;
- Technical and usage data: IP address, browser type, operating system, language settings, access logs, referrer, API errors, crash reports, stack summaries, app version, and anonymized feature usage statistics;
- Security data: failed login attempts, rate-limit events, and signals used to detect abuse or fraud.
3. Information You Submit Voluntarily
When you register, sign in, complete forms, purchase subscriptions, link devices, or send feedback, information you enter is treated as your agreement to this Privacy Policy and your authorization for us to process that information to provide the feature you requested.
Checking agreement to our Terms of Service and Privacy Policy during registration constitutes consent to processing as described here, to the extent consent is required in your region.
You are responsible for the accuracy of information you provide. If you do not agree with this Policy, do not submit personal information.
4. No Proactive Collection of Identity Information Without Permission
Without your permission—or unless permitted or required by applicable law—we do not proactively collect personally identifiable information such as your name, gender, date of birth, avatar, email, phone number, or postal address.
When you browse public pages without signing in or submitting forms, we collect only minimal technical information needed to operate and secure the Services, typically in a form that does not identify you personally.
5. Diagnostics, Crash Logs, and Product Improvement
We collect crash reports, error logs, performance metrics, and related diagnostic data to fix bugs, improve reliability, and understand how features are used.
SSH credentials, private key material, and monitored business data remain on your device or environments you control by default. We do not upload SSH passwords or private keys unless you manually upload under the Client Cloud Sync section or voluntarily include them in feedback (not recommended).
We do not use diagnostic data for cross-context behavioral advertising. We may associate diagnostic data with your account when necessary to respond to support requests you submit.
6. Client Cloud Sync
Desktop clients such as KimoShell, KimoTor, and KimoDot (depending on the product you use) may offer optional cloud sync tied to your signed-in Riorioo account. Sync is split into two independent tracks: **app settings sync** and **server profile sync**, each toggled separately in the client (server profile sync is **off by default**).
**Unless you enable the relevant toggle and manually choose Upload or Pull, we do not upload your server or app settings to the cloud, and we do not automatically merge cloud data into your device.** When the toggle is off, manual sync controls are disabled. You may turn the toggle off or delete cloud copies at any time in client settings.
Cloud sync is available to paid members whose plan includes the feature; server count limits and other quotas follow product documentation and your account entitlements.
- **Server profile sync (manual upload/pull)**: When you enable “Sync server profiles” and tap “Upload”, we upload your **current local** server list to cloud storage bound to your account and the product (appId). **Upload replaces the entire cloud list.** “Pull” **merges** cloud entries into the local list (deduplicated by host, port, username, etc.) and does not remove local entries that are absent from the cloud.
- **What server sync includes**: display name, host, port, username, auth mode (password or key), local private-key **file path** (not key file contents), optional OS family label, and client-assigned server IDs.
- **What server sync excludes**: SSH passwords, private key material, secrets stored in the device keychain/credential store, and business or monitoring time-series data from servers you observe.
- After pulling on another device, you must **re-enter SSH passwords** or **set a local private-key path** on that device; paths are not portable and we do not sync key files between devices.
- **App settings sync**: May include language, theme, refresh intervals, panel ordering, and similar preferences (**excluding** proxy host, proxy credentials, and related secrets). App and server sync are independent; enabling app sync does not sync server lists.
- **KimoShell AI terminal (if used)**: AI prompts may be proxied through Riorioo to third-party model providers. That processing is governed by this Policy and Section 8 on diagnostics; it is **not** the same as server profile cloud sync. Do not paste passwords, keys, or unrelated sensitive personal data into AI chat.
- **Storage and deletion**: Cloud copies are stored on infrastructure we operate or engage processors to operate, linked to your Riorioo user ID and product appId. You may delete cloud server profiles in the client (local profiles remain; server sync is turned off automatically).
- **Security note**: Sync improves multi-device workflows but metadata (hosts, usernames) still has disclosure risk. We use encryption in transit and access controls, but cannot eliminate risk from stolen session tokens or compromised devices. Safeguard your account and devices.
7. Cookies and Similar Technologies
We use cookies, Local Storage, and Session Storage to keep you signed in, remember language preferences, prevent CSRF, support checkout flows, and measure anonymous traffic.
You can manage cookies through your browser settings. Disabling essential cookies may affect sign-in and core functionality.
If we use non-essential analytics or advertising cookies in the future, we will disclose them and, where required, obtain your consent.
8. How We Use Information
- Create and manage your account using email OTP verification (we do not offer password-based login; Google Sign-In only if we offer it and you opt in);
- Provide downloads, version verification, entitlements, and device linking;
- Process subscriptions and payments through Creem;
- Send service, security, and transactional messages (not unsolicited marketing unless you opt in);
- Respond to feedback and support requests;
- Monitor security, prevent fraud and abuse, and maintain the Services;
- Comply with legal obligations and enforce our terms;
- Provide client cloud sync when you enable it and manually upload or pull (see Client Cloud Sync section);
- Improve products through diagnostics and aggregated analytics.
9. How We Share Information — No Sale of Personal Information
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
We disclose information only as described below or with your consent, or when required by law.
10. Service Providers and Processors
We use trusted providers who process data on our behalf under contractual safeguards, including:
- Creem — payment processing, subscription management, and billing status;
- Google — OAuth authentication when you choose Google Sign-In;
- Cloud hosting, CDN, email/SMS, logging, and monitoring providers — to operate infrastructure and deliver OTP codes and essential notices;
- Professional advisers or authorities — when legally required or to protect rights and safety.
11. Data Retention
We retain information only as long as needed for the purposes described:
- Account data — while your account is active and for a reasonable period after deletion, subject to legal holds;
- OTP records — typically up to 24 hours (hashed);
- Transaction records — as required for accounting, tax, and consumer protection laws;
- Logs and diagnostics — typically up to 12 months, or anonymized for longer-term statistics;
- Support tickets — typically up to 24 months after resolution;
- Client cloud sync copies (server profile JSON, app settings JSON): usually deleted or anonymized within 30 days after you delete cloud data, disable sync without further uploads, or delete your account, except where longer retention is required by law.
12. Security
We use administrative, technical, and organizational measures such as HTTPS, access controls, and hashed storage for sensitive values like OTP records.
No online service can guarantee absolute security. Protect your verification codes and devices, and notify us of suspected unauthorized access.
13. Your Choices and Rights
Depending on your location, you may have rights to access, correct, delete, or export personal information, opt out of certain processing, or withdraw consent.
You can update many profile fields in MyStore and delete your account there. For other requests, contact us using the details in Section 20.
We will verify your identity before fulfilling requests and respond within timelines required by applicable law.
14. U.S. State Privacy Notice (including California CPRA)
This section applies to residents of U.S. states with comprehensive privacy laws, including California.
Categories collected: identifiers (email, phone, account ID), commercial information (subscriptions, orders), internet or network activity (logs, diagnostics), and inferences limited to security or product improvement—not for cross-context behavioral advertising.
We do not sell personal information and do not share personal information for cross-context behavioral advertising as defined under the California Privacy Rights Act (CPRA).
California residents may have the right to know, access, delete, and correct personal information, and to limit use of sensitive personal information where applicable. Submit requests to the contact below. We will not discriminate against you for exercising privacy rights.
Authorized agents may submit requests on your behalf where permitted by law and verified.
15. International Data Transfers
We may process and store information in countries other than your own. Where required, we use appropriate safeguards such as standard contractual clauses or equivalent mechanisms.
Contact us for more information about transfers relevant to your data.
16. Children
The Services are not directed to children under 13 (or under 16 in certain jurisdictions). Paid purchases require users to be at least 18.
If you believe we have collected information from a child without appropriate consent, contact us and we will take steps to delete it.
17. Third-Party Links
The Services may contain links to third-party websites or services (for example Creem checkout or Google sign-in). Their privacy practices are governed by their own policies.
18. Business Transfers
If we are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will require the recipient to honor this Policy or provide notice and choices as required by law.
19. Changes to This Policy
We may revise this Policy and will post updates on this page with a new "Last Updated" date. Continued use after changes constitutes acceptance where permitted by law.
20. Contact Us
Questions or privacy requests: [email protected].
Please include your request type and account contact information so we can verify and respond.